After a short break, it is time to get back to updating systems. This time a bug has been found in the OpenSSL library. Safe versions of the sources can be downloaded from http://www.openssl.org/source/. The full advisory, published on the BugTraq list by Mark J Cox, is available below.

OpenSSL Security Advisory [30 September 2003]

Vulnerabilities in ASN.1 parsing
================================

NISCC (www.niscc.gov.uk) prepared a test suite to check the operation
of SSL/TLS software when presented with a wide range of malformed client
certificates.

Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team
identified and prepared fixes for a number of vulnerabilities in the
OpenSSL ASN1 code when running the test suite.

A bug in OpenSSL's SSL/TLS protocol was also identified which causes
OpenSSL to parse a client certificate from an SSL/TLS client when it
should reject it as a protocol error.

Vulnerabilities
---------------

1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication.

Who is affected?
----------------

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay are affected.

Any application that makes use of OpenSSL's ASN1 library to parse
untrusted data. This includes all SSL or TLS applications, those using
S/MIME (PKCS#7) or certificate generation routines.

Recommendations
---------------

Upgrade to OpenSSL 0.9.7c or 0.9.6k. Recompile any OpenSSL applications
statically linked to OpenSSL libraries.

References
----------

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 for issue 1:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545

and CAN-2003-0543 and CAN-2003-0544 for issue 2:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20030930.txt
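To triage hosts against the "Who is affected?" and "Recommendations" sections above, the following added example (not part of the advisory or of OpenSSL) classifies the banner printed by `openssl version`. The function name and the sample banners are constructed for illustration, and treating branches newer than 0.9.7 as outside the advisory's scope is an assumption.

```python
import re

# First fixed release per branch, from the advisory's Recommendations section.
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}

# Matches e.g. "OpenSSL 0.9.7b 10 Apr 2003" or "OpenSSL 0.9.7-beta3 ...".
_BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-\S+)?")


def affected_by_secadv_20030930(banner: str) -> bool:
    """Return True if an `openssl version` banner names an affected release."""
    banner = banner.strip()
    if banner.startswith("SSLeay"):
        return True  # advisory: all versions of SSLeay are affected
    m = _BANNER.match(banner)
    if m is None:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter, prerelease = m.group(4), m.group(5)
    if branch in FIXED:
        fixed = FIXED[branch]
        # Patch letters sort alphabetically; "" (no letter) sorts first.
        if letter < fixed:
            return True
        # Assumption: a -beta/-dev build of the fixed letter is treated
        # conservatively as predating the fixed release.
        return letter == fixed and prerelease is not None
    if branch < (0, 9, 6):
        return True  # "all versions ... up to and including 0.9.6j"
    # Assumption: branches newer than 0.9.7 are outside this advisory.
    return False


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("OpenSSL 0.9.7b 10 Apr 2003",
                   "OpenSSL 0.9.6k 30 Sep 2003",
                   "SSLeay 0.9.0b 29-Jun-1998"):
        state = "AFFECTED" if affected_by_secadv_20030930(sample) else "ok"
        print(f"{sample!r}: {state}")
```

The banner only describes the `openssl` binary and its shared library; applications statically linked to OpenSSL still have to be identified and recompiled separately, as the advisory recommends.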

Archived news item added by user: cborys.